
Evasion-Resistant Network Scan Detection

Published

Author(s)

Richard Harang, Peter Mell

Abstract

Popular network scan detection algorithms operate by evaluating external sources for unusual connection patterns and traffic rates. Research has revealed evasive tactics that enable full circumvention of existing approaches (specifically the widely cited Threshold Random Walk algorithm). To prevent the use of these circumvention techniques, we propose a novel approach to network scan detection that evaluates the behavior of internal network nodes, and we combine it with other established scan detection techniques. By itself, our algorithm is an efficient, protocol-agnostic, completely unsupervised method that requires no a priori knowledge of the network being defended beyond which hosts are internal and which are external to the network, and it is capable of detecting network scanning attempts regardless of the rate of the scan (working even with connectionless protocols). We demonstrate the effectiveness of our method on both live data from an enterprise-scale network and on simulated scan data, finding a false positive rate of just 0.000034% with respect to the number of inbound flows. When combined with both Threshold Random Walk and simple rate-limiting detection, we achieve an overall detection rate of 94.44%.
Citation

Security Informatics (a Springer OpenJournal), Volume 4, Issue 4

Keywords

algorithms, experimentation, intrusion detection systems (IDS), measurement, network scanning, security

Citation

Harang, R. and Mell, P. (2015), Evasion-Resistant Network Scan Detection, Security Informatics (a Springer OpenJournal), [online], https://doi.org/10.1186/s13388-015-0019-7, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=915071 (Accessed October 5, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created May 8, 2015, Updated October 12, 2021